Bug 1054592 (CVE-2014-0001) - CVE-2014-0001 mysql: command-line tool buffer overflow via long server version string
Status: CLOSED ERRATA
Alias: CVE-2014-0001
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140130,repor...
Keywords: Security
Duplicates: 1063398 CVE-2014-2440
Depends On: 1054041 1055875 1055876 1055880 1055882 1055883 1055884 1056457 1059545 1059546
Blocks: 1054621 1088219
 
Reported: 2014-01-17 05:39 UTC by Garth Mollett
Modified: 2019-06-08 19:52 UTC
CC: 19 users

Clone Of:
Last Closed: 2014-02-24 05:03:37 UTC


Attachments
proposed fix (654 bytes, patch), 2014-01-22 19:05 UTC, Honza Horak, no flags


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0164 normal SHIPPED_LIVE Moderate: mysql security and bug fix update 2014-02-12 23:22:48 UTC
Red Hat Product Errata RHSA-2014:0173 normal SHIPPED_LIVE Moderate: mysql55-mysql security update 2014-03-11 15:49:07 UTC
Red Hat Product Errata RHSA-2014:0186 normal SHIPPED_LIVE Moderate: mysql55-mysql security update 2014-02-18 22:55:41 UTC
Red Hat Product Errata RHSA-2014:0189 normal SHIPPED_LIVE Moderate: mariadb55-mariadb security update 2014-02-19 23:45:24 UTC

Description Garth Mollett 2014-01-17 05:39:44 UTC
The MySQL client in both MySQL and MariaDB contains a buffer overflow when reading the server version information.

This may be exploited by connecting to a malicious/compromised db server or by a MITM and potentially allows execution of arbitrary code as the user running the client.

Comment 9 Honza Horak 2014-01-22 19:05:24 UTC
Created attachment 854008 [details]
proposed fix

This fix is really simple, just check buffer size properly.

Comment 11 Tomas Hoger 2014-01-29 08:28:02 UTC
Note that this issue affects mysql, the command-line tool / SQL shell, not the libmysqlclient library.

Comment 12 Huzaifa S. Sidhpurwala 2014-01-30 06:30:30 UTC
This issue is now public via:

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.64

Comment 13 Huzaifa S. Sidhpurwala 2014-01-30 06:31:40 UTC
This issue affects the version of mysql55-mysql as shipped with Red Hat Enterprise Linux 5.

This issue affects the version of mysql as shipped with Red Hat Enterprise Linux 6.

Comment 15 Huzaifa S. Sidhpurwala 2014-01-30 06:35:48 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1059546]

Comment 16 Huzaifa S. Sidhpurwala 2014-01-30 06:35:52 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1059545]

Comment 17 Murray McAllister 2014-02-04 22:43:16 UTC
Acknowledgements:

This issue was discovered by Garth Mollett of the Red Hat Security Response Team.

Comment 18 Karel Volný 2014-02-10 15:54:15 UTC
*** Bug 1063398 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2014-02-12 18:24:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0164 https://rhn.redhat.com/errata/RHSA-2014-0164.html

Comment 20 errata-xmlrpc 2014-02-13 18:38:08 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0173 https://rhn.redhat.com/errata/RHSA-2014-0173.html

Comment 21 errata-xmlrpc 2014-02-18 17:57:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0186 https://rhn.redhat.com/errata/RHSA-2014-0186.html

Comment 22 errata-xmlrpc 2014-02-19 18:47:10 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0189 https://rhn.redhat.com/errata/RHSA-2014-0189.html

Comment 23 Tomas Hoger 2014-05-09 08:15:08 UTC
MySQL upstream commit:
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4601

Comment 24 Tomas Hoger 2014-05-13 17:23:03 UTC
This issue did not affect MySQL 5.0.  While those versions have the relevant sprintf() call, there's a difference in the length of the version string returned by the server_version_string() function.

In versions before 5.1.34, the buffer used to store the server version string returned by server_version_string() was static with a length of 128.  The buffer glob_buffer to which sprintf prints the connection info was allocated to a size of 512, hence sprintf could not overflow it and a long version string presented by the server would be printed truncated.

The server_version_string() function was changed in version 5.1.34 to avoid the problem with truncation of long version strings.  The function was modified to dynamically allocate a buffer for the version string, possibly longer than the glob_buffer size of 512.  Hence this security flaw was introduced.

Upstream bug, upstream commit, and release notes related to the server_version_string() change in 5.1.34 that introduced this issue:

http://bugs.mysql.com/bug.php?id=43153
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/2728.10.6
http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-34.html
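An added example, not code from this bug, the attached patch, or MySQL/MariaDB, modelling the buffer handling described by Honza Horak's fix (comment 9, "check buffer size properly") and Tomas Hoger's analysis (comment 24). It contrasts an unbounded sprintf() of a server-supplied version string into a fixed 512-byte buffer with a bounded snprintf() that detects truncation. The format string, the function names and the 'A'-filled version strings are assumptions made for illustration; the 512-byte buffer size and the 128-byte pre-5.1.34 bound are the figures from comment 24. The pre-fix path only computes how many bytes sprintf() would have written rather than actually overflowing the buffer, which would be undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the client's glob_buffer as described in comment 24. */
#define GLOB_BUFFER_SIZE 512

/* Format string assumed for illustration; the real format used by the mysql
 * command-line tool is not reproduced here. */
#define CONN_INFO_FMT "Server version:\t\t%s\n"

/* Models the pre-fix pattern: an unbounded sprintf() of the server-supplied
 * version string into a fixed 512-byte buffer. Rather than performing the
 * overflow (undefined behaviour), it uses snprintf(NULL, 0, ...) to compute
 * how many bytes sprintf() would write, NUL included, and returns whether
 * that exceeds the buffer. */
int sprintf_would_overflow(const char *server_version)
{
    int n = snprintf(NULL, 0, CONN_INFO_FMT, server_version);
    if (n < 0)
        return 0;
    return (size_t)n + 1 > GLOB_BUFFER_SIZE;
}

/* Hardened form of the same write: bounded by the buffer size, with
 * truncation detected from snprintf()'s return value. Returns 1 when the
 * whole string fit, 0 when it was truncated (buf is still NUL-terminated). */
int format_connection_info(char *buf, size_t bufsize, const char *server_version)
{
    int n = snprintf(buf, bufsize, CONN_INFO_FMT, server_version);
    if (n < 0) {
        buf[0] = '\0';
        return 0;
    }
    return (size_t)n < bufsize;
}

/* Constructed stand-in for a version string a malicious or MITM'd server
 * could send: `len` bytes of 'A', heap-allocated like the post-5.1.34
 * server_version_string() result. Caller frees. */
char *make_version_string(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Runs both variants against a version string of `len` bytes.
 * Returns 2 if sprintf() would have overflowed glob_buffer and the hardened
 * path truncated safely instead, 1 if the string fit either way,
 * 0 for any inconsistent outcome, -1 on allocation failure. */
int check_version_length(size_t len)
{
    char buf[GLOB_BUFFER_SIZE];
    char *v = make_version_string(len);
    if (!v)
        return -1;
    int overflow = sprintf_would_overflow(v);
    int fit = format_connection_info(buf, sizeof buf, v);
    free(v);
    if (overflow && !fit && strlen(buf) == sizeof buf - 1)
        return 2;
    if (!overflow && fit)
        return 1;
    return 0;
}

int main(void)
{
    /* 128 bytes: the static pre-5.1.34 bound, always fits in 512. */
    printf("128-byte version string: %d\n", check_version_length(128));
    /* 1024 bytes: possible once server_version_string() allocates dynamically. */
    printf("1024-byte version string: %d\n", check_version_length(1024));
    return 0;
}
```

The point of the bounded variant is that the buffer size, not the length of what the server sent, governs the write; a client that wants the full string rather than a truncated one should size the destination from snprintf()'s return value and allocate, which is the other way to "check buffer size properly".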

Comment 25 Tomas Hoger 2014-09-12 09:18:47 UTC
*** Bug 1088197 has been marked as a duplicate of this bug. ***
